The following example policy automatically creates a CloudWatch Event Rule-triggered Lambda function in your account and region that is invoked on console login events. If the source IP address of the event is outside the ranges provided in the policy, the cloud admins and security team are notified for further investigation. Using the cloudtrail mode provides near real-time auto-remediation (typically within 1-2 minutes) of the event occurring. Having such a quick auto-remediation action greatly reduces the attack window! Once notified, the cloud admins or security team can validate the login and, if it is not legitimate, revoke the login session, then change the password of or disable the compromised user, and so on.

In the example below the filter being applied is a regex and reads as follows:
- Notify if the source IP address of the event is not from one of the valid IP CIDRs:
  - 158.103.0.0/16
  - 142.179.0.0/16
  - 187.39.0.0/16
  - 12.0.0.0/8

You can generate the regex for IP ranges on a site like:
http://www.analyticsmarket.com/freetools/ipregex

```yaml
policies:
  - name: invalid-ip-address-login-detected
    resource: account
    description: |
      Notifies on invalid external IP console logins
    mode:
      type: cloudtrail
      events:
        - ConsoleLogin
    filters:
      - not:
          - type: event
            key: 'detail.sourceIPAddress'
            # Single-quoted scalar so the backslashes stay literal. With a `|`
            # block scalar the surrounding quotes would become part of the
            # pattern, it would never match, and every login would notify.
            value: '^((158\.103\.|142\.179\.|187\.39\.)([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])\.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]))|(12\.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])\.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])\.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]))$'
            op: regex
    actions:
      - type: notify
        template: default.html
        priority_header: 1
        subject: "Login From Invalid IP Detected - [custodian {{ account }} - {{ region }}]"
        violation_desc: "A User Has Logged In Externally From An Invalid IP Address Outside The Company's Range:"
        action_desc: |
          Please investigate and revoke the invalid session along with any other restrictive actions if appropriate
        to:
          - CloudAdmins@Company.com
          - SecurityTeam@Company.com
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/12345678900/cloud-custodian-mailer
          region: us-east-1
```

Note that the notify action requires the cloud custodian mailer tool to be installed.
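As an added example (not part of the Cloud Custodian documentation or code base), the following Python checks that the policy's regex accepts exactly the four CIDRs by comparing it with Python's `ipaddress` module, and applies the policy's `not` event filter to a ConsoleLogin event. The event envelope and the sample IP addresses are constructed for this example.

```python
import ipaddress
import re

# The four allowed CIDRs from the policy above.
ALLOWED_CIDRS = ["158.103.0.0/16", "142.179.0.0/16", "187.39.0.0/16", "12.0.0.0/8"]

# The regex from the policy's event filter, copied verbatim and split for readability.
POLICY_REGEX = (
    r"^((158\.103\.|142\.179\.|187\.39\.)([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])"
    r"\.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]))|(12\.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])"
    r"\.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])\.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]))$"
)

def regex_allows(ip: str) -> bool:
    """Mirror Custodian's `op: regex`, which uses re.match (anchored at the start)."""
    return re.match(POLICY_REGEX, ip, flags=re.IGNORECASE) is not None

def cidr_allows(ip: str) -> bool:
    """Ground truth: is the address inside one of the allowed CIDRs?"""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. "AWS Internal" or a DNS name in sourceIPAddress
        return False
    return any(addr in ipaddress.ip_network(c) for c in ALLOWED_CIDRS)

def should_notify(event: dict) -> bool:
    """The policy filter is `not: [event matches regex]` on detail.sourceIPAddress."""
    ip = event.get("detail", {}).get("sourceIPAddress", "")
    return not regex_allows(ip)

def regex_cidr_disagreements(samples):
    """IPs on which the regex and the CIDR allowlist disagree; expected to be empty."""
    return [ip for ip in samples if regex_allows(ip) != cidr_allows(ip)]

# Constructed sample: a CloudWatch Events envelope for a ConsoleLogin event.
EXTERNAL_LOGIN_EVENT = {
    "detail-type": "AWS Console Sign In via CloudTrail",
    "detail": {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
               "responseElements": {"ConsoleLogin": "Success"}},
}

# Edge-of-range and near-miss samples (constructed). 112.0.0.1 matters because the
# regex's `$` anchors only the 12.x alternative; an unanchored search would accept it.
SAMPLE_IPS = ["158.103.255.255", "158.104.0.1", "142.179.0.10", "187.39.200.7",
              "12.0.0.1", "12.255.255.255", "13.0.0.1", "112.0.0.1", "1.2.3.4"]

if __name__ == "__main__":
    print("notify on external login:", should_notify(EXTERNAL_LOGIN_EVENT))
    print("regex/CIDR disagreements:", regex_cidr_disagreements(SAMPLE_IPS))
```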